If the chunk_size is very close to the maximum value of an integer,
we trigger an integer overflow when checking if we have a trailing
newline after the payload.
Reported by OSS-Fuzz as:
https://oss-fuzz.com/testcase-detail/6439610474692608
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56804
(cherry picked from commit b602982fc5b4fb9139dec591541e0c070ceb47f5)
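The overflow described in the commit message, and the bound the fix introduces, as an added stand-alone example (not YaHTTP's own code). `ParseError` is redefined here as a plain `std::runtime_error` so the block compiles on its own; the negative-size check and the LF/CRLF handling after the guard are my additions modelled on the shape of the check in the patch, not copied from the project. Because signed overflow is undefined behaviour in C++, `wrappedPlusOne` reproduces the wrap with unsigned arithmetic rather than executing the overflowing `int` addition.

```cpp
#include <climits>
#include <cstddef>
#include <limits>
#include <stdexcept>
#include <string>

// Stand-in for YaHTTP::ParseError (name from the patch, definition assumed here).
struct ParseError : std::runtime_error {
  explicit ParseError(const std::string& m) : std::runtime_error(m) {}
};

// What the unguarded `chunk_size+1` turns into on two's-complement hardware.
// The signed addition itself is UB, so the wrap is modelled with unsigned math.
int wrappedPlusOne(int chunk_size) {
  return static_cast<int>(static_cast<unsigned int>(chunk_size) + 1u);
}

// Guarded version of the trailing-newline check. Returns the number of
// terminator bytes after the payload (1 for LF, 2 for CRLF), or 0 when the
// buffer does not yet contain the whole chunk plus its terminator.
int chunkTerminatorLength(const std::string& buffer, int chunk_size) {
  if (chunk_size < 0) throw ParseError("Negative chunk size");  // added guard, not in the patch
  // Same bound as the patch: leave room for the +1 and +2 below without overflow.
  if (chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2)) {
    throw ParseError("Chunk is too large");
  }
  if (buffer.size() < static_cast<size_t>(chunk_size + 1)) return 0;  // expect newline
  if (buffer.at(chunk_size) == '\r') {
    if (buffer.size() < static_cast<size_t>(chunk_size + 2)) return 0;  // expect LF after CR
    if (buffer.at(chunk_size + 1) != '\n') throw ParseError("Expected LF after CR");
    return 2;
  }
  if (buffer.at(chunk_size) != '\n') throw ParseError("Expected newline after chunk");
  return 1;
}

// True when the guard rejects the size up front instead of reaching the
// arithmetic that would overflow; the buffer is a constructed sample.
bool rejectsOversizedChunk(int chunk_size) {
  try {
    chunkTerminatorLength(std::string("abc\r\n"), chunk_size);
  } catch (const ParseError& e) {
    return std::string(e.what()) == "Chunk is too large";
  }
  return false;
}
```

With `chunk_size == INT_MAX`, the unguarded `chunk_size+1` wraps to `INT_MIN`, which `static_cast<size_t>` then turns into a huge value, so the length comparison silently reports "need more data" after undefined behaviour; the guarded version throws `ParseError` before any of that arithmetic runs.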
#include "yahttp.hpp"
+#include <limits>
+
namespace YaHTTP {
template class AsyncLoader<Request>;
throw ParseError("Unable to parse chunk size");
}
if (chunk_size == 0) { state = 3; break; } // last chunk
+ if (chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2)) {
+ throw ParseError("Chunk is too large");
+ }
} else {
int crlf=1;
if (buffer.size() < static_cast<size_t>(chunk_size+1)) return false; // expect newline
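Review bot: the `- 2` in `max() - 2` is a magic number; add a comment on the new check naming the expressions it protects, i.e. the `chunk_size+1` in the `buffer.size()` comparison visible here and the `+2` the bound implies further down, so a later edit to those offsets does not silently invalidate the guard. Also, if `chunk_size` is a signed type, as the `static_cast<size_t>(chunk_size+1)` suggests, this upper bound does not reject a negative value, which would become a huge `size_t` in that same comparison; worth confirming that the parse step that throws "Unable to parse chunk size" above already rules that out, or adding a `chunk_size < 0` check beside this one.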